IBM: malware economics, web security biggest issues of 2008

It's time for another security year-in-review, and IBM's X-Force reports are …

Every year, IBM's X-Force releases a report on the current state of computer security: what the team saw throughout the previous year and what it expects to see in 2009. This year brings several significant changes to the report format, including a new metric for estimating the economic value of an exploit. The economic angle is one we've discussed at Ars on numerous occasions; the malware market can't be treated or evaluated as if it were being run from college dorm rooms or the basements of assorted single thirty-somethings. Malware has gone commercial; there's no looking back.

IBM's X-Force report (PDF) is chock-full of security goodness; it's difficult to discuss the entirety of the 106-page document in a single article. Covered topics include malware economics, the rise of web vulnerabilities (and what they are), spam, phishing, malware trends, and the various notable events of 2008. Security vulnerability disclosure is both a significant topic and a mixed bag of results.

First, a bit of good news: the growth in vulnerability discovery and disclosure has slowed since 2006, and the team speculates that we may have reached a plateau now that the vast majority of low-hanging fruit has been plucked. On the other hand, given the surge of web vulnerabilities and the pathetic response from the vendors in question (we'll get to both of these), the long-term trend isn't clear. For now, however, the curve is flattening.

X-Force catalogued a record number of vulnerability disclosures in 2008—7,406 in total, a 13.5 percent increase over 2007. The type and severity of the vulnerabilities differed substantially from what we saw in 2007 as shown above. The total number of vulnerabilities may have grown, but the number of "Critical" flaws—arguably the most important category—fell by 50 percent. Growth in the Medium and High segments fueled the year-on-year increase and more than offset the reduced number of minor flaws.

The top ten (and everyone else)

Ranking   Vendor       Disclosures (percent)
1.        Microsoft    3.16
2.        Apple        3.04
3.        Sun          2.19
4.        Joomla!      2.07
5.        IBM          2.00
6.        Oracle       1.65
7.        Mozilla      1.43
8.        Drupal       1.42
9.        Cisco        1.23
10.       TYPO3        1.23

The top 10 vendors collectively accounted for 19.4 percent of all security vulnerabilities. The Who's Who of vendors in 2008 has a few new entries, including three web applications written in PHP and designed to work with SQL back-ends (X-Force specifies open source SQL databases): Joomla!, Drupal, and TYPO3 all fall into this category. It's not clear which Mozilla product accounted for the organization's appearance in 2008; the report notes that Firefox is Mozilla's most famous, but not its only, product.

There's a mixed bag of good-news/bad-news in the vulnerability disclosure section. Good news: just 19 percent of the vulnerabilities disclosed in 2008 in the top ten vendors' products remained unpatched by the end of the year, compared to a 53 percent average across all vendors. The number of OS and browser vulnerabilities reported in 2008 declined significantly, both in percentage and absolute terms, and the total number of vulnerabilities in multimedia applications grew at just half the rate reported in 2007.

Ready for the other shoe? The total number of web vulnerabilities exploded in 2008, driven by a huge spike in SQL injection flaws (up 134 percent last year). Web applications in general have driven total vulnerability growth at a meteoric pace over the last decade and accounted for 54 percent of all vulnerabilities reported in 2008. It's not clear what, precisely, pushed malware developers toward SQL injection and IFRAME attacks this past year and away from cross-site scripting attacks (by far the most popular approach in 2007). What is clear, however, is that the response from web application vendors is pathetically inadequate: of all the web application vulnerabilities revealed in 2008, just 26 percent had been patched by the end of the year.
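The SQL injection class the report counts is easy to see in miniature. What follows is an added illustration, not code from the X-Force report or from this article: a login and profile lookup written the way the flawed PHP front-ends to SQL back-ends typically were (raw input spliced into the query text), beside the same queries with bound parameters. The table, the credentials, and the three payloads are constructed for the example; it uses Python's built-in sqlite3 so it runs offline.

```python
import sqlite3


def make_db():
    """Build an in-memory SQLite database with constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (
            id       INTEGER PRIMARY KEY,
            username TEXT NOT NULL,
            password TEXT NOT NULL,
            role     TEXT NOT NULL
        );
        INSERT INTO users (username, password, role) VALUES
            ('admin', 'hunter2', 'administrator'),
            ('alice', 's3cret',  'editor');
    """)
    return conn


def login_vulnerable(conn, username, password):
    """Authenticate by splicing raw input into the SQL text.

    Anything the caller types becomes part of the query grammar, so quotes,
    comment markers and UNION clauses are interpreted rather than matched.
    """
    sql = ("SELECT username, role FROM users "
           "WHERE username = '%s' AND password = '%s'" % (username, password))
    return conn.execute(sql).fetchone()


def profile_vulnerable(conn, username):
    """Profile lookup built the same unsafe way; returns every row the query yields."""
    sql = "SELECT username, role FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """Same check with bound parameters: the driver sends input as data, never as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def profile_safe(conn, username):
    """Parameterized profile lookup."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed attacker inputs (hypothetical, for the demonstration only).
COMMENT_BYPASS = "admin' -- "   # closes the string literal, comments out the password check
TAUTOLOGY = "' OR '1'='1"       # makes the WHERE clause true for every row
UNION_DUMP = "' UNION SELECT username, password FROM users -- "  # pulls passwords into the result set


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, comment bypass :", login_vulnerable(conn, COMMENT_BYPASS, "wrong"))
    print("vulnerable, tautology      :", login_vulnerable(conn, TAUTOLOGY, TAUTOLOGY))
    print("vulnerable, union dump     :", profile_vulnerable(conn, UNION_DUMP))
    print("safe, comment bypass       :", login_safe(conn, COMMENT_BYPASS, "wrong"))
    print("safe, union dump           :", profile_safe(conn, UNION_DUMP))
    print("safe, real credentials     :", login_safe(conn, "admin", "hunter2"))
```

The third payload is the one that matters for the report's economic framing: a single injectable lookup turns into a bulk dump of the credentials table, which is the kind of per-host data value X-Force's ranking tries to capture. Parameter binding closes the value-position hole shown here; it does not help where input lands in an identifier or ORDER BY clause, which needs an allow-list instead.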

Other problems continue to compound the web vulnerability issue, including what X-Force deems "Good websites Using Bad ActiveX Controls." As we mentioned, client-side vulnerabilities trended downward in 2008, though VoIP clients were a notable exception: the total number of VoIP client flaws rose 49 percent over the past 12 months. Document readers were also an issue (Microsoft Office and Adobe Acrobat are both listed in this category), but browsers remain the major target of most online attacks.

The economic angle

One of the most significant changes to X-Force's reporting system is the team's decision to include an economic ranking system as well as reports from more traditional vulnerability ranking methodologies.

"More careful consideration of the way that vulnerabilities fit into the business models of criminal organizations will help better prioritize IT protection and patching efforts," reads the report. "Both revenue (opportunity) and cost are made up of a complicated set of components, and some of these components can be influenced by the security industry."

In order to measure these economic effects, X-Force created a four-quadrant ranking system that scores an exploit according to the ease with which it can be monetized, exploited, and mass-deployed. The fourth quadrant represents the intrinsic value of the attack, or the approximate value of the data that can be extracted on a per-computer basis. An attack that's easy to monetize, easy to exploit, and mass-targetable but produces data of absolutely no value is highly unlikely to be popular.

The security researchers then step through a number of the high-profile attacks of 2008, ranking each of them according to the four characteristics we've just discussed. We've covered the monetization of the malware industry and the need to consider economic factors when evaluating threats at length in the past; feel free to refer to our previous coverage for more information on the topic. It's encouraging that the need for such viewpoints is catching on in the white hat market: understanding the economic value of an attack is essential when evaluating its criticality.